FTC sues data broker for selling sensitive location data

Idaho-based Kochava has allegedly sold location data traceable to reproductive health clinics and domestic violence shelters.

UNITED STATES - MAY 18: FTC Chairwoman Lina Khan and SEC Chairman Gary Gensler testify during the Ho...
Tom Williams/CQ-Roll Call, Inc./Getty Images

The Federal Trade Commission is suing Kochava, a data analytics company, for selling location data from “hundreds of millions of mobile devices.” The geolocation data in question included identifiable information that could trace individuals back to plenty of sensitive locations, like reproductive health clinics, places of worship, domestic violence shelters, and addiction recovery centers.

Selling this data, the FTC alleges, boils down to Kochava “enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence.”

Kochava doesn’t seem bothered by these overwhelming allegations. Brian Cox, the company’s general manager, said in a statement that the FTC “has a fundamental misunderstanding of Kochava’s data marketplace business and other data practices.” He added that Kochava operates “consistently and proactively in compliance with all rules and laws.” All of them!

Location location location — Data privacy concerns have circulated through tech watchdog organizations for a long time now, but location data in particular has received extra attention as of late. The collapse of Roe v. Wade has given rise to intense concerns that location data could be used to track those who receive abortion care — and we’ve already seen some cases where that data is indeed available for purchase.

The FTC’s goal here is to stop Kochava in its tracks. No more collection of data, no more sales, and the deletion of its enormous databases. It’s no wonder Kochava isn’t exactly ready to admit to its faults and let the FTC get its way.

Like many data brokers, Kochava claims its data is “anonymized.” But its data is very precise and comes attached to a device ID. The FTC points out that, though this identifier can technically be reset at any time to actually anonymize that data, the vast majority of consumers don’t know this is even an option.

Thanks, FTC — This case is big not just for Kochava but for how the FTC looks at data brokers more largely. Back in July, the FTC published a very cryptic blog post that re-upped its commitment to keeping private data anonymous; we’re now watching that promise take action.

We’d expect to see plenty of similar legal action taken in the not-too-distant future. If we’re really lucky, the FTC might even help draft some legislation that would stop these companies from selling sensitive data before they’ve spent years doing so.